Remote Desktop Services, VPN and secure connection(s)

Last Modified: 2012-08-14
We are testing Windows 2008 RemoteApp services. We have 2 needs. First, remote offices need access to a SQL application that can only run on the HQ LAN, so we are planning on utilizing RemoteApp. Second, remote offices also need access to network files to be able to open on their local machine.

We started testing with using the same box for VPN and RDS. The idea is that the users connect via VPN so that they can access network files locally by mapping the network share. Then to access the HQ application they use RemoteApp. The W8K box sits behind the firewall with VPN ports forwarded. So far we have it set up so that the RemoteApp is only accessible when a VPN connection exists. Because we don't have two-factor authentication, VPN port access on the firewall is locked down to users' IP addresses. This controls what locations can use VPN, and since the RemoteApp only connects using a LAN machine name, this controls access to the application. Does this sound like the best method to address both issues?


I have read that using the TS Gateway, RDP sessions can be a secured communications channel because traffic is encrypted over HTTPS (443). If I block 3389 on the firewall then the users cannot connect. Is this only a feature that works in conjunction with TSWeb? When a user connects using RDP (either through the VPN or without VPN) I see no 443 traffic. It would be nice to be able to create RDP sessions for RemoteApps without having to create a VPN connection. How can I be assured the traffic is being encrypted? I have used TCPView and Ethereal to view the traffic and I don't see 443 traffic when using RDP to connect directly to the TS server.

Can a user access network files over RDP and open the file using their local application, or will we need VPN for that?

Rob Knight, Consultant (Certified Expert)

Commented:
Hi,

If you redirect local drives, you can open local files with the RemoteApp.

You can force additional protection of the RDP session by enabling TLS, NLA and FIPS encryption - this would then be encapsulated to the TS Gateway - comms between the TS Gateway and the RD Server are over 3389.

I believe that the TS Gateway settings need to be configured before the RemoteApp installer is generated - make sure that the TS Gateway is specified and that bypass isn't enabled.

Regards,


RobMobility.
I wouldn't expose a company's internal application or files to the Internet even through HTTPS. I think VPN is the security that you need. As for TS Web, I think it works along with usual RDP; it just makes it easier for people to click on an application, but it still launches RDP to connect, so it will need VPN to access local resources.

see this one :
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/bcc759bf-ac45-4ad6-bd63-ad5635b26884/

and this one :
http://social.technet.microsoft.com/Forums/en/winserverTS/thread/51937b87-b1fc-4028-aa1d-c6bc4955ebd2

Author

Commented:
RobMobility, as for accessing the files, it is the other way around from what you have described. We need to redirect remote (HQ) drives so that users can use local apps. Ex. opening a spreadsheet that is on the HQ network.

Can I use the TS Gateway to be able to connect to another workstation via RDP without having to RDP to the TS first (without using TS Web or VPN)? I thought I read that I could do this via TS Gateway.

Example: remote office --->> internet --->> HQ firewall --->> workstation

Author

Commented:
Ok, asked too soon. I found where to put the TS Gateway settings in RDC (see below). Now, can I specify a different port number other than 3389 for the TS Gateway?

1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

3. On the Advanced tab, in the Connect from anywhere area, click Settings.

4. In the Gateway Server Settings dialog box, select the appropriate options:

   - Use these TS Gateway server settings. You select this option and specify the name of the TS Gateway server that you want to connect to and the logon method to use for the connection. Note that when you specify a name for the TS Gateway server, you must use a fully qualified domain name (FQDN), such as "MyTSGatewayServername.MyCompany.com", without the https://www. prefix in front.

   - Bypass TS Gateway server for local addresses. This option is selected by default. Please uncheck this checkbox.

5. Click OK.
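The same "Connect from anywhere" settings as steps 1-5 above can be carried in a .rdp file, so every remote-office user gets an identical, gateway-only configuration instead of clicking through the dialog. The script below is an added example, not code from the thread or from Microsoft; the gateway FQDN, the internal RD Session Host name and the RemoteApp alias are assumed placeholders. It sets the gateway to "always use" (the equivalent of unchecking "Bypass TS Gateway server for local addresses"), keeps NLA on, refuses to connect if the server's certificate fails authentication, and leaves client drive redirection off, which matches the earlier concern about mapping client drives over RDP.

```powershell
# Added example: generate a RemoteApp .rdp file that always goes through the RD Gateway.
# All host names and the alias below are assumed placeholders; replace them with your own.
param(
    [string]$GatewayFqdn = 'gw.example.com',         # public FQDN of the gateway, no https:// prefix
    [string]$RdHost      = 'rdsh.hq.example.local',  # internal RD Session Host name as the gateway resolves it
    [string]$AppAlias    = 'sqlapp',                 # RemoteApp alias published on the RD Session Host (assumed)
    [string]$OutFile     = "$env:USERPROFILE\Desktop\sqlapp-via-gateway.rdp"
)

# Meaning of the .rdp keys written below:
#   gatewayusagemethod:i:1          always use the gateway (0 = never, 2 = bypass for local addresses)
#   gatewayprofileusagemethod:i:1   use the explicit settings in this file, not the client defaults
#   gatewaycredentialssource:i:0    prompt for password (NTLM) at the gateway
#   authentication level:i:1        do not connect if server authentication (TLS certificate) fails
#   enablecredsspsupport:i:1        require Network Level Authentication (CredSSP)
#   remoteapplicationmode:i:1       launch a RemoteApp instead of a full desktop
#   drivestoredirect:s:             empty value = no client drive redirection
$settings = @"
full address:s:$RdHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
authentication level:i:1
enablecredsspsupport:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||$AppAlias
remoteapplicationname:s:$AppAlias
drivestoredirect:s:
redirectclipboard:i:1
redirectprinters:i:0
"@

Set-Content -Path $OutFile -Value $settings -Encoding ASCII
Write-Host "Wrote $OutFile; open it with: mstsc `"$OutFile`""
```

Double-click the file (or run `mstsc` against it) to test; if the connection only succeeds while the VPN is up, the gateway settings are not being honoured and the file should be checked for a stray `gatewayusagemethod:i:2`.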

Author

Commented:
RobMobility,

In the past we have avoided mapping the client drive over RDP for security reasons. Plus transferring a file via RDP is slow. I haven't benchmarked file transfer over RDP vs. VPN yet.

Author

Commented:
oneitnz, thanks for the reply. Concise and to the point.

So to use port 443 do we have to use TSWeb?

Does putting the gateway information in the RDC client force the client to use port 443, or is it still using 3389 and just bypassing logging directly in to the TS?

The only problem with doing everything on the terminal server (for us) is that then we would have to buy new licenses for MS Office (the retail version of MS Office 2010 will not install on a TS; apparently a special version is needed, plus we have a mix of 2003 and 2010). Management denied funding for new Office for TS. I have suggested Open Office but our users are too hooked in to MS Office, and our accounting dept needs Excel because of a special accounting add-on.

There are multiple solutions for this issue but I have to do it as low cost as possible (i.e. do more with less, the story of the century). So bells and whistles are out the door (i.e. no SharePoint, document management system, etc.).

Commented:
Hi PlazaProp,
Just to confirm, once you have tested and confirmed that you can connect via the RD Gateway server, you will no longer need to have port 3389 open on the firewall to the outside; all traffic will be proxied over port 443.

No, you don't need to use the TSWeb; that is just installed along with it. I'm not sure if you could just stop the IIS site so that people couldn't reach your TSWeb site, if that's what you're wondering. I believe this would probably stop it listening on port 443 and stop the gateway working altogether.

I am curious to know if you're running Exchange 2007, either on a SBS 08 box or standalone, because I've just discovered this awesome little hidden gem which allows you to access file shares through OWA.

Can't find a proper Microsoft article on it, but this guy's written a decent setup guide.
http://www.bunkerhollow.com/blogs/matt/archive/2007/12/21/file-sharing-with-exchange-2007-outlook-web-access.aspx 

That will solve all your problems without needing a VPN.

Author

Commented:
oneitnz,

I figured that disabling TSWeb (IIS) would stop communications over port 443, since port 443 is HTTPS.

We are not running Exchange at all. But thanks for the link, very interesting if we decide to implement Exchange.

I get that RDP will be proxied over port 443 if using TSWeb, but is there a way to directly tell the RDP client to use port 443 (or another port) for the TS Gateway?

I have tried to specify the port number in the TS Gateway settings in the client but I get an error. I am guessing that the TS Gateway defaults to port 3389, no matter what. Anyone agree with that statement?
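Rather than reasoning about which port the gateway uses, it is quicker to measure it from the remote side. The thread's replies state that the client-to-gateway hop is HTTPS on 443 and that the gateway-to-RD-server hop stays on 3389, so from outside the firewall the expected picture is: 443 on the gateway answers with a TLS certificate matching the gateway FQDN, and 3389 is closed on both the gateway and the RD Session Host. The script below is an added example (not from the thread), run from a remote office or any host outside the HQ firewall; the two host names are assumed placeholders. It makes its own TLS handshake to read the certificate, which is also the direct answer to "how can I be assured the traffic is encrypted" without a packet capture.

```powershell
# Added example: verify the RD Gateway listens on TCP 443 with a certificate for its FQDN,
# and that raw RDP (3389) is not reachable from this network. Host names are assumed.
param(
    [string]$GatewayFqdn = 'gw.example.com',          # name users enter in "Connect from anywhere"
    [string]$RdHostName  = 'rdsh.hq.example.local',   # internal RD Session Host; should NOT answer from outside
    [int]$TimeoutMs      = 3000
)

# TCP connect test with a timeout (works on PowerShell 2.0, no Test-NetConnection needed).
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Complete a TLS handshake to the gateway and return details of the certificate it presented.
function Get-GatewayCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    # Accept any certificate for the handshake only; validity is reported below via Verify()
    # and a name check, rather than silently trusted.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            ChainTrusted = $cert.Verify()          # chain builds to a trusted root on this client
            NameMatches  = ($dnsName -eq $HostName) # clients warn or refuse when this is false
        }
    } finally { $ssl.Close(); $client.Close() }
}

$ports = New-Object PSObject -Property @{
    GatewayHttps443 = Test-TcpPort -HostName $GatewayFqdn -Port 443  -TimeoutMs $TimeoutMs
    GatewayRdp3389  = Test-TcpPort -HostName $GatewayFqdn -Port 3389 -TimeoutMs $TimeoutMs
    RdHostRdp3389   = Test-TcpPort -HostName $RdHostName  -Port 3389 -TimeoutMs $TimeoutMs
}
$ports | Format-List

if ($ports.GatewayHttps443) {
    Get-GatewayCertificate -HostName $GatewayFqdn | Format-List
} else {
    Write-Warning "Port 443 on $GatewayFqdn is not reachable; the gateway is not published (or IIS/the RD Gateway service is stopped)."
}
if ($ports.GatewayRdp3389 -or $ports.RdHostRdp3389) {
    Write-Warning "TCP 3389 is reachable from here; once gateway connections work, close it at the firewall."
}
```

Expected result for a correctly published gateway: `GatewayHttps443 True`, both 3389 checks `False`, `ChainTrusted True` and `NameMatches True`. A `NameMatches False` means the certificate was issued for a different name than the one users type, which is exactly the case the RDC client rejects under `authentication level:i:1`.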